Post navigation

My worries about the security of the Greek Railways reservation system.

Those of us who have waited for hours in line in Sina Road in Athens to buy a railroad ticket to Thessaloniki, the introduction by OSE (ΟΣΕ- Hellenic Railways Organization S.A. and its subsidiary Trainose) of an online reservation system last year must have seemed like too good to be true, coming from an organization who is single-handedly responsible for a sizeable portion of Greece’s debt and still owes about 8 billion Euros to the Greek state (link to company’s unofficial blog in Greek).

Online reservations, according to the company, are currently responsible for 25% of the tickets booked in the busiest Athens-Thessaloniki line, as people obviously find it more convenient than the alternatives. As the system becomes better known, the company expects that in 2012 online reservations will account for 40% of total tickets booked.

I am deeply worried about the system which handles credit card information for thousands of travellers each day. The need for the utmost security is a concern that Trainose itself acknowledges. My worry is that this is a system, with which hackers are having or are going to have a field day, without the public being informed.

My worry is that this is a system, with which hackers are having or are going to have a field day, without necessarily the public being informed

The reasons for my worries are as follows:

First, I am concerned about the design of the system. In its second year of operation it is still extremely buggy: Trying to book a ticket today, I immediately reached the puzzling screen below, after I had to go back to the home screen, because the system would at first allow me, but then forbid me to make a reservation for the next 24hours. I found myself travelling from <NULL> to <NULL> with a not-so-helpful blank pop-up that should have been (I’m guessing) either a calendar or a list of train stations. I tried to repeat my reservation again, this time in English, starting fresh from the home page. Well, it turns out that the English language button is just for show… These are just a couple of many bugs for which people constantly complain about, according to the article by kathimerini newspaper. Such design flaws, still present in the second year of the system operation, do not bode well for the system’s (unobservable) security features.

Second, I am concerned about the management of the system. According to the president of Trainose, the reservation system was built and is being managed by the company itself which, according to the president, faces serious shortcoming of human and financial resources, for the development and management of the system. The president, according to the newspaper, and I do hope this is a misquote, claims that many of the system problems are caused by, how do I put this… «people stealing cables». The organization has indeed experience thefts of tons of valuable copper cables, used mainly for signaling, from very poorly guarded train stations and other rail network locations all over the country. But the combination of admitted understaffing and claims that my blank pop-up was caused by someone stealing copper cables from a warehouse, does not fill me with confidence that the system is being managed in a way that will prove superior to determined hackers from all over the world who break into systems, exactly like this one, for a living.

many of the system problems are caused by, how do I put this… «people stealing cables»

Finally, I am concerned about transparency. I will refrain from repeating stories of waste of taxpayer money and corruption, which are currently under investigation by the authorities, but I will say that, in the past, the company has operated in an extremely non-transparent way. Even if hackers were to penetrate the system and obtain sensitive credit card information, would the company inform the public? This is a serious concern for any organization, as companies have time and again tried to hide serious security breaches, involving customer financial data, but the history of ΟΣΕ in the field of transparency multiplies my worries tenfold.

Obviously this is a very important issue. The company should publicly commit that the safeguarding of customer financial data is a top strategic priority, second only to the physical safety of the passengers. It should hire respectable external advisers on matters of system security who will advise it on system design and on the processes that will need to be in place for the system to be secure. Finally, there should be transparency and accountability. I do not accept the argument that a company who spends hundreds of millions of Euros each year does not have the resources to make an online reservation system secure. Publicly complaining about lack of resources shows that the management is tying to avoid future responsibility for potential (and highly probable) serious security breaches.